Missing condition for granting 'forwardable' flag on S4U2Self tickets
CVE-2024-2698

8.8 HIGH

Summary

A flaw exists in FreeIPA that stems from the initial implementation of MS-SFU in MIT Kerberos, which was missing a condition for granting the 'forwardable' flag on S4U2Self tickets. Fixing that required a special case in the check_allowed_to_delegate() function: a NULL target service argument indicates that the KDC is probing for general constrained delegation rules rather than checking a specific S4U2Proxy request. In FreeIPA version 4.11.0, ipadb_match_acl() was modified to reflect these changes from upstream MIT Kerberos 1.20. However, an oversight caused this mechanism to be applied improperly, so that S4U2Proxy requests are granted regardless of whether a corresponding service delegation rule exists.
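
A simplified C model of the check described above, added here as an example and not FreeIPA or MIT Kerberos code. The function names, rule table and principals are constructed, and the flawed variant assumes the NULL-target probe shortcut was also taken when a target was supplied.

```c
#include <stddef.h>
#include <string.h>

/* Constructed delegation rule table (example data, not from FreeIPA). */
struct deleg_rule {
    const char *proxy;       /* service allowed to act on behalf of users */
    const char *targets[3];  /* services it may delegate to, NULL-terminated */
};

static const struct deleg_rule rules[] = {
    { "HTTP/web.example.test", { "ldap/dir.example.test", NULL } },
};
static const size_t n_rules = sizeof(rules) / sizeof(rules[0]);

/* Return 1 if `target` is listed in the rule, 0 otherwise. */
static int rule_lists_target(const struct deleg_rule *r, const char *target)
{
    for (size_t i = 0; r->targets[i] != NULL; i++)
        if (strcmp(r->targets[i], target) == 0)
            return 1;
    return 0;
}

/* Flawed model: probe shortcut taken even when a target is supplied. */
int match_acl_flawed(const char *proxy, const char *target)
{
    (void)target;  /* the requested target is never compared to the rule */
    for (size_t i = 0; i < n_rules; i++)
        if (strcmp(rules[i].proxy, proxy) == 0)
            return 1;
    return 0;
}

/* Corrected model: shortcut only for the NULL-target probe. */
int match_acl_fixed(const char *proxy, const char *target)
{
    for (size_t i = 0; i < n_rules; i++) {
        if (strcmp(rules[i].proxy, proxy) != 0)
            continue;
        if (target == NULL || rule_lists_target(&rules[i], target))
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Exit status 0 means the unlisted target was refused. */
    return match_acl_fixed("HTTP/web.example.test", "cifs/files.example.test");
}
```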

Affected Version(s)

Red Hat Enterprise Linux 8 8100020240528133707.823393f5

Red Hat Enterprise Linux 8.8 Extended Update Support 8080020240530051744.b0a6ceea

Red Hat Enterprise Linux 9 0:4.11.0-15.el9_4

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD Database, Mitre Database